FIX #yogosha8628

Laurent Destailleur 2022-02-04 15:14:10 +01:00
parent f99e19e729
commit 5249840402
2 changed files with 6 additions and 1 deletions


@ -9236,7 +9236,7 @@ function dolIsAllowedForPreview($file)
/**
* Return mime type of a file
* Return MIME type of a file from its name with extension.
*
* @param string $file Filename we looking for MIME type
* @param string $default Default mime type if extension not found in known list


@ -229,6 +229,11 @@ $original_file = str_replace('..\\', '/', $original_file);
// Find the subdirectory name as the reference
$refname = basename(dirname($original_file)."/");
// Check that file is allowed for view with viewimage.php
if (!dolIsAllowedForPreview($original_file)) {
accessforbidden('This file is not qualified for preview', 0, 0, 1);
}
// Security check
if (empty($modulepart)) {
accessforbidden('Bad value for parameter modulepart', 0, 0, 1);
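Review bot: The new `dolIsAllowedForPreview($original_file)` guard appears to decide on the requested file name alone, so a file whose bytes do not match its extension would still pass it. This is inferred from the docblock touched in the other hunk, which describes deriving the MIME type "from its name with extension"; whether the guard relies on that helper is not visible here. If the output code further down (outside this hunk) does not already send it, adding `header('X-Content-Type-Options: nosniff');` before the file is emitted would keep browsers from re-interpreting the content. The comment above the check could also state its purpose, for example `// Reject file types that must not be rendered inline, before the modulepart check`. The `if (empty($modulepart))` block that follows closes outside the hunk.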